The most salacious headline last week from the Black Hat conference was the announcement in the NY Times that Russian hackers had amassed a database of 1.2 billion user email addresses and passwords. The database included identities from sites that still had known vulnerabilities, and the company that released the news and independently validated the database was not at liberty to name those sites. This is the best-practice response to known vulnerabilities, but it ultimately leaves users at risk and wondering who is looking out for them. Therefore, I have put together this quick 5 step action plan that users can follow if they are worried about protecting their identities and financial data.
1. Change your password: If you are one of the many users who use the same password for multiple sites, change that password on your most important financial sites. If you want a tool to help you with this process and to implement better password management across sites, skip to #2. If you don’t want to use a password management tool, then use the following strategy: choose 3 passwords that you can remember, created with the sentence method described below. Use one for your financial sites, one for email and social media sites, and one for everything else.
Creating a good password with decent entropy is really easy using what I call the sentence method. This is certainly not a new technique, and I can’t remember where I first learned it, or I would attribute it here. Here is how it works: one, create a sentence that you can remember, e.g. “My favorite teacher in 3rd grade was Mrs. Smith who wore glasses and was a star”; two, take the first letter of each word in the sentence and include a number and a special character, e.g. Mfti3gwMSwwgawa*. Some websites won’t allow special characters because they are worried about cross-site scripting vulnerabilities, so if your financial institution is one of those, use the word star instead of the special character. If you want a shorter password, create a shorter sentence. There are variations of this that take the last letter of each word in the sentence, or the second letter, etc.
2. Get a Password Manager: Password vaults/managers have been on the scene long enough to prove their worth and security to users. If you are writing your passwords on a note card and storing it in the top drawer of your desk at the office or at home, this is the tool for you. These tools work on mobile devices as well as in browsers and can generate really strong passwords for you if you don’t want to create your own as described above. The great thing about these tools is not just the management: they can create a unique password for each site you visit and thus limit your risk.
Top 3 Password Managers:
1. LastPass (tried and true, very good security and support across all devices)
2. KeePass (open source and really good software)
3. 1Password (impressive mobile support; it even works with Touch ID, so if you use iOS this is a great tool for you)
3. Turn on Free Fraud Protection: Each of the credit agencies has a free fraud alert feature they will turn on at your request. Experian, for example, has a simple three-step process for turning on a 90-day fraud alert for your account.
Of course, when a large trove of passwords is released into the wild, monitor your email for notifications about unusual activity. Most sites today have adaptive authentication techniques in place that watch for unusual activity (e.g. authentication traffic from unusual IP addresses, devices, etc.) and will notify you of suspicious activity.
It goes without saying: don’t click on the links in the emails that are sent to you. Go to the site directly to change a password or update information.
For other identity or security wonks reading this blog, please let me know if you have other suggestions for users.